diff --git a/docker-compose-cleandb.sh b/docker-compose-cleandb.sh new file mode 100755 index 0000000000..b1e554bbc0 --- /dev/null +++ b/docker-compose-cleandb.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash + +# Use this to test and initdb script sql file changes +# +docker compose down --volumes postgres + +volume_name=$(basename `pwd` | tr '[:upper:]' '[:lower:]')_postgres_data + +docker volume rm $volume_name -f + diff --git a/docker-compose.yml b/docker-compose.yml index 0ce338c9e7..df203b5771 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,4 +1,3 @@ -version: '2' services: dependencies: image: orcid/registry-dependencies:${TAG:-0.0.1} @@ -7,9 +6,16 @@ services: context: . args: tag_numeric: ${TAG:-0.0.1} - # stop dependencies from being started with a compose up profiles: - build + networks: + custom_network: + ipv4_address: 10.20.0.2 + extra_hosts: + - "dependencies:10.20.0.2" + - "redis:10.20.0.3" + - "postgres:10.20.0.4" + - "haprouter:10.20.0.5" redis: image: orcid/registry/redis:7.2.5-alpine @@ -19,8 +25,16 @@ services: context: . dockerfile: redis/Dockerfile profiles: - - database + - db - dev + networks: + custom_network: + ipv4_address: 10.20.0.3 + extra_hosts: + - "dependencies:10.20.0.2" + - "redis:10.20.0.3" + - "postgres:10.20.0.4" + - "haprouter:10.20.0.5" postgres: image: postgres:13.13-alpine3.19 
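Review bot: The `volume_name=` line recomputes the volume name from the working directory, so it diverges from the real compose project name whenever `COMPOSE_PROJECT_NAME` or `-p` is in use (compose also strips characters outside its allowed set, which the `tr` call does not), and with no `set -euo pipefail` a failed `docker compose down` still proceeds to the `rm`. Prefer `set -euo pipefail` at the top, then `volume_name="${COMPOSE_PROJECT_NAME:-$(basename "$PWD" | tr '[:upper:]' '[:lower:]')}_postgres_data"` and `docker volume rm -f "$volume_name"` (quoted, `$(...)` instead of backticks). If `docker compose down --volumes postgres` already removes the declared `postgres_data` volume in the compose version this project uses, the manual removal can be dropped entirely; that cannot be verified from the diff.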
@@ -34,12 +48,55 @@ services: ports: - '5432:5432' profiles: - - database + - db + - dev + networks: + custom_network: + ipv4_address: 10.20.0.4 + extra_hosts: + - "dependencies:10.20.0.2" + - "redis:10.20.0.3" + - "postgres:10.20.0.4" + - "haprouter:10.20.0.5" + + haprouter: + image: ${DOCKER_REG_PRIVATE}/orcid/registry/orcid-haprouter:${TAG:-0.0.1} + build: + context: . + dockerfile: orcid-haprouter/Dockerfile + extra_hosts: + - "nowhere:127.0.0.1" + - "dependencies:10.20.0.2" + - "redis:10.20.0.3" + - "postgres:10.20.0.4" + - "haprouter:10.20.0.5" + environment: + POSTGRES_READ_FQDN_A: postgres + POSTGRES_READ_FQDN_B: nowhere + POSTGRES_READ_FQDN_C: nowhere + POSTGRES_WRITE_FQDN_A: postgres + POSTGRES_WRITE_FQDN_B: nowhere + POSTGRES_WRITE_FQDN_C: nowhere + SOLR_READ_FQDN_A: solr + SOLR_READ_FQDN_B: nowhere + SOLR_READ_FQDN_C: nowhere + SOLR_WRITE_FQDN_A: solr + SOLR_WRITE_FQDN_B: nowhere.local + SOLR_WRITE_FQDN_C: nowhere.local + ports: + - 0.0.0.0:8888:1936 # stats + - 0.0.0.0:7432:7432 # solr read + - 0.0.0.0:7983:7983 # solr write + - 0.0.0.0:7432:7432 # postgres read + - 0.0.0.0:6432:6432 # postgres write + networks: + custom_network: + ipv4_address: 10.20.0.5 + profiles: - dev lb: image: ${DOCKER_REG_PRIVATE}/orcid/registry/orcid-lb:${TAG:-0.0.1} - # entrypoint: sleep infinity build: context: . dockerfile: orcid-lb/Dockerfile @@ -49,10 +106,8 @@ services: profiles: - dev - # orcid-angular project frontend: image: ${DOCKER_REG_PRIVATE}/orcid/registry/orcid-web-frontend-${FRONTEND_LABEL:-qa}:${FRONTEND_TAG:-0.0.1} - # entrypoint: sleep infinity build: context: . dockerfile: 'FIXME: must build in the orcid-angular project first Dockerfile.build' @@ -64,7 +119,6 @@ services: web_proxy: image: ${DOCKER_REG_PRIVATE}/orcid/registry/orcid-web-proxy:${TAG:-0.0.1} - # entrypoint: sleep infinity build: context: . dockerfile: orcid-web-proxy/Dockerfile 
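Review bot: In the new `haprouter` service the `ports` list publishes host port 7432 twice (`# solr read` and `# postgres read`), which the daemon will reject as already allocated when the second binding is created, and the comments disagree with `orcid-haprouter/haproxy.cfg`, where Solr reads listen on 7983 and Solr writes on 6983 (6983 is never published here). The two Solr lines should read `- 0.0.0.0:7983:7983 # solr read` and `- 0.0.0.0:6983:6983 # solr write`, leaving 7432/6432 for Postgres. Every mapping binds `0.0.0.0`, so the stats page (1936, which the config enables without `stats auth`) and the database proxies are reachable from any host interface; for a dev compose, `127.0.0.1:8888:1936` and the same for the other four keeps them on the local machine. `SOLR_READ_FQDN_A`/`SOLR_WRITE_FQDN_A` point at `solr`, which has neither a service nor an `extra_hosts` entry in this file — presumably resolved elsewhere, but worth confirming.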
@@ -81,7 +135,6 @@ services: web: image: ${DOCKER_REG_PRIVATE}/orcid/registry/orcid-web:${TAG:-0.0.1} - # entrypoint: sleep infinity build: cache_from: - orcid/registry-dependencies:${TAG:-0.0.1} @@ -90,17 +143,13 @@ services: args: tag_numeric: ${TAG:-0.0.1} env_file: - # defaults and dev config for all apps - default.env - properties/default.orcid_core.env - properties/default.misc.env - properties/default.frontend.env - properties/default.persistence.env - # defaults and dev config per app - orcid-web/default.env - # config written out by our deployment system - orcid-web/deployment.env - # anything secure that is non prod separated goes here - ${DOCKER_DEV_ENV_FILE:-empty.env} ports: - 0.0.0.0:13100:8080 @@ -108,5 +157,12 @@ services: - dev - ui +networks: + custom_network: + driver: bridge + ipam: + config: + - subnet: 10.20.0.0/16 + volumes: postgres_data: diff --git a/orcid-haprouter/Dockerfile b/orcid-haprouter/Dockerfile new file mode 100644 index 0000000000..b29bb359a2 --- /dev/null +++ b/orcid-haprouter/Dockerfile @@ -0,0 +1,4 @@ +FROM haproxy:2.4.24-bullseye + +COPY orcid-haprouter/haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg + diff --git a/orcid-haprouter/haproxy.cfg b/orcid-haprouter/haproxy.cfg new file mode 100644 index 0000000000..2683b87a68 --- /dev/null +++ b/orcid-haprouter/haproxy.cfg 
@@ -0,0 +1,169 @@ +resolvers docker + nameserver dns 127.0.0.11:53 + parse-resolv-conf + accepted_payload_size 8192 + hold valid 10s + hold other 30s + hold refused 30s + hold nx 30s + hold timeout 30s + hold obsolete 30s + + # How many times to retry a query + resolve_retries 3 + + # How long to wait between retries when no valid response has been received + timeout retry 1s + + # How long to wait for a successful resolution + timeout resolve 1s + +global + stats timeout 30s + daemon + maxconn 6000 + # Default SSL material locations + ca-base /etc/ssl/certs + crt-base /etc/ssl/private + # Default ciphers to use on SSL-enabled listening sockets. + # For more information, see ciphers(1SSL). This list is from: + # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ + ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL + ssl-default-bind-options no-sslv3 + # Default ciphers to use on SSL-enabled listening sockets. + # For more information, see ciphers(1SSL). 
This list is from: + # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ + ssl-default-server-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL + ssl-default-server-options no-sslv3 + nbproc 1 + + tune.ssl.default-dh-param 2048 + ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS + ssl-default-bind-options no-sslv3 + +defaults + log global + mode http + option httplog + option dontlognull + option log-separate-errors + timeout connect 5s + timeout client 100s + timeout server 100s + stats show-modules + stats show-legends + +listen stats-1936 + description haproute Loadbalancer + bind 0.0.0.0:1936 + mode http + stats enable + stats uri / + stats hide-version + stats show-node + +##################################################################################### + +# +# Frontends +# + +# Solr + +frontend solr-read-7983 + description Frontend for Solr + bind 0.0.0.0:7983 + mode http + timeout client 300s + monitor-uri /haproxy-status + acl solrs_dead nbsrv(reg-solr-read) lt 1 + http-request set-log-level silent + default_backend reg-solr-read + +frontend solr-write-6983 + description Frontend for Solr writes + bind 0.0.0.0:6983 + mode http + timeout client 300s + monitor-uri /haproxy-status + acl solrs_dead nbsrv(reg-solr-write) lt 1 + http-request set-log-level silent + default_backend reg-solr-write + +# Postgres + +frontend reg-postgres-read-7432 + description Frontend for Postgres read + bind 0.0.0.0:7432 + mode tcp + timeout client 70m + monitor-uri /haproxy-status + acl postgres_dead nbsrv(reg-postgres-read) lt 1 + http-request set-log-level silent + default_backend reg-postgres-read + +frontend reg-postgres-write-6432 + description Frontend for Postgres writes + bind 0.0.0.0:6432 + mode tcp + timeout client 70m + monitor-uri /haproxy-status + acl postgres_dead nbsrv(reg-postgres-write) lt 1 + http-request 
set-log-level silent + default_backend reg-postgres-write + +# +# Backends +# + +# Solr + +backend reg-solr-read + description backend for solr cluster + mode http + balance leastconn + option httpchk GET /solr/profile/admin/ping + option redispatch 2 + http-check expect status 200 + timeout server 300s + timeout check 20s + default-server check maxconn 500 inter 20s init-addr libc,last,none + server "${SOLR_READ_FQDN_A}-read-a" "${SOLR_READ_FQDN_A}":8983 + server "${SOLR_READ_FQDN_B}-read-b" "${SOLR_READ_FQDN_B}":8983 + server "${SOLR_READ_FQDN_C}-read-c" "${SOLR_READ_FQDN_C}":8983 + +backend reg-solr-write + description Solr master running in tomcat statically set + mode http + balance leastconn + option httpchk GET /solr/profile/admin/ping + option redispatch 2 + http-check expect status 200 + timeout server 300s + timeout check 20s + default-server check maxconn 500 inter 20s init-addr libc,last,none + server "${SOLR_WRITE_FQDN_A}-write-a" "${SOLR_WRITE_FQDN_A}":8983 + server "${SOLR_WRITE_FQDN_B}-write-b" "${SOLR_WRITE_FQDN_B}":8983 + server "${SOLR_WRITE_FQDN_C}-write-c" "${SOLR_WRITE_FQDN_C}":8983 + +# Postgres + +backend reg-postgres-read + mode tcp + balance leastconn + option pgsql-check user pgc + timeout server 70m + default-server inter 5000 fastinter 2000 downinter 5000 rise 2 fall 3 port 5432 init-addr libc,last,none + server "${POSTGRES_READ_FQDN_A}-read-a" "${POSTGRES_READ_FQDN_A}":5432 check port 5432 + server "${POSTGRES_READ_FQDN_B}-read-b" "${POSTGRES_READ_FQDN_B}":5432 check port 5432 + server "${POSTGRES_READ_FQDN_C}-read-c" "${POSTGRES_READ_FQDN_C}":5432 check port 5432 + +backend reg-postgres-write + mode tcp + balance leastconn + option pgsql-check user pgc + timeout server 70m + default-server inter 5000 fastinter 2000 downinter 5000 rise 2 fall 3 port 5432 init-addr libc,last,none + server "${POSTGRES_WRITE_FQDN_A}-write-a" "${POSTGRES_WRITE_FQDN_A}":5432 check port 5432 + server "${POSTGRES_WRITE_FQDN_B}-write-b" 
"${POSTGRES_WRITE_FQDN_B}":5432 check port 5432 + server "${POSTGRES_WRITE_FQDN_C}-write-c" "${POSTGRES_WRITE_FQDN_C}":5432 check port 5432